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1. A method for controlling access to a network, said method comprising: 

receiving, by an access point (AP) of said network, a request to access said network, 
said request transndtted by a client; 

re-directing, by said AP, said access request to a local server; 
5 associating unique data with an identifier of said client and storing a mapping of said 

association in said AP; 

generating a Web page by said local server requesting that said client select an 
authentication server (AS) and including said unique data and forwarding said generated 
Web page to said client; 
10 transmitting an authentication request to said selected authentication server; and 

receiving a response to said authentication request from said selected authentication 

server. 

2. The method according to claim 1, wherein said network is a wireless Local Area network 
15 (WLAN). 

3. The method according to claim 1, wherein the act of associating unique data further 
comprises: 

forwarding said identifier of said client from said local server; and 
20 generating said unique data for said client by said local server. 

4. The method according to claim 1, further comprising: 

retrieving, by said client, a re-directed URL having embedded data including a first 
digital signature, authentication parameters and said unique data and forwarding said re- 
25 directed URL to said AP; 

creating, by said AP, a second digital signature using said authentication parameters, 
said unique data and said identifier; 

comparing, by said AP, said first digital signature with said second digital signature; 
determining, by said AP, if there is a match between said first digital signature and 
30 said second digital signature; and 

performing, by said AP, one of granting network access and denying network access 
based on said match determination. 
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5. The method according to claim 1, wherein said unique data includes a session ID and a 
randomized number. 

5 6. The method according to claim 1, wherein said identifier is an address of said client. 

7. The method according to claim 1, wherein the act of authenticating further comprises: 

processing, by said AS, said authentication request, wherein said authentication 
request includes a session ID embedded in said authentication request; 
10 responding to said authentication request by forwarding to said client by said AS an 

authentication input page, said authentication input page including a request for 
authentication information; and 

receiving, by said AS, authentication credentials from said client, wherein said 
response to said authentication request forwarded to said client includes a re-direct header 
15 and a success code and associated information relevant to access of said network by said 
client 

8. The method according to claim 7, wherein the act of forwarding further comprises 
generating, by said AS, said success code and said associated information includes a first 

20 digital signature and authentication parameters. 

9. The method according to claim 5, wherein said randomized number is one of a random 
number and a pseudo-random number. 

25 10. The meUiod according to claim 1, wherein said identifier is one of a physical (PHY) 
address of said client, a MAC address of said client and an IP address of said client. 

11. The method according to claim 1, wherein said AP and said local server are co-located. 

30 12. The method according to claim 1, wherein said first and said second digital signatures are 
generated using one of a private key of said AS and a shared key between said AS and said 
local server. 
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13. The method according to claun 4, wherein said second digital signature is locally 
generated at said AP. 

5 14. A system for controlling access to a network, comprising: 

means for receiving, by an access point (AP) of said network, a request to access said 
network, said request transmitted by a client; 

means for re-directing, by said AP, said access request to a local server; 
means for associating unique data with an identifier of said client and storing a 
10 mapping of said association in said AP; 

means for generating a Web page by said local server requesting that said client select 
an authentication server (AS) and including said unique data and forwarding said generated 
Web page to said client; 

means for transmitting an authentication request to said selected authentication 
15 servCT; and 

means for receiving a response to said authentication request from said selected 
authentication server. 



15. The system according to claim 14, wherein said network is a wireless Local Area 
20 network (WLAN) and further wherein said AP and said local server are co-located, 

16. The system according to claim 14, wherein the means for associating unique data further 
comprises: 

means for forwarding said identifier of said client from said local server; and 
25 means for generating said unique data for said client by said local server. 

17. The system according to claim 14, further comprising: 

means for retrieving, by said client, a re-directed URL having embedded data 
including a first digital signature, authentication parameters and said unique data and 
30 forwarding said re-directed URL to said AP; 

means for creating, by said AP, a second digital signature using said authentication 
parameters, said unique data and said identifier; 
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means for comparing, by said AP, said first digital signature with said second digital 
signature; 

means for determining, by said AP, if there is a match between said first digital 
signature and said second digital signature; and 
5 means for performing, by said AP, one of granting network access and denying 

network access based on said match determination. 

18. The system according to claim 14, wherein said unique data includes a session ID and a 
randomized number. 

10 

19. The system according to claim 14, wherein said identifier is one of a physical (PHY) 
address of said client, a MAC address of said client and an IP address of said client. 

20. The system according to claim 14, wherein the means for authenticating further 
15 comprises: 

means for processing, by said AS, said authentication request, wherein said 
authentication request includes a session ID embedded in said authentication request ; 

means for responding to said authentication request by forwarding to said client by 
said AS an authentication input page, said authentication input page including a request for 
20 authentication information; and 

means for receiving, by said AS, authentication credentials from said client, wherein 
said response to said authentication request forwarded to said client includes a re-direct 
header and a success code and associated information relevant to access of said network by 
said client. 

25 

21. TTie system according to claim 20, wherein the means for forwarding further comprises 
generating, by said AS, said success code and said associated information including a first 
digital signature and authentication parameters. 



30 



22. The system according to claim 18, wherein said randomized number is one of a random 
number and a pseudo-random number. 
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23. The system according to claim 14, wherein said first and said second digital signatures 
are generated using one of a private key of said AS and a shared key between said AS and 
said local server. 

5 24. The system according to claim 17, wherein said second digital signature is locally 
generated at said AP. 

25. A system for controlling access to a network comprising: 
a client; 

10 an access point (AP) coupled to a local server (LS) for relaying network 

conomunications to and from the client; and 

an authentication server for performing an authentication process in response to a 
request from the client; wherein 

the AP, in response to a re-directed request to access the network from the 
15 client, associates unique data with an identifier of the client and stores a mapping of 

the association; 

the LS transmits the unique data to the client for use in authenticating the 
client via the authentication server; 

the authentication server, upon authenticating the client using the unique data, 
20 is operative to provide a re-direct header for access to the client including a digitally 

signed authentication message and authentication parameters corresponding to the 
unique data, the AP receiving the digitally signed retrieved re-directed URL and 
authratication parameters from the client and the AP further correlating the 
authentication parameters with the mapped association data for determining access to 
25 the network based on the results of the correlation. 

26. The system of claim 25, wherein the network is a wireless local area network 
(WLAN) comprising the access point and local server. 

30 27. The system of claim 25, wherein the local server generates a web page 

requesting that the client select an authentication server, and embeds the unique data in the 
web page for transmission to the client. 
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28. The system of claim 25, wherein the identifier of the client is one of a physical 
address, MAC address and an IP address, and wherein the unique data comprises a session 
ID and a randomized number. 

29. The system of claim 28, wherein the session ID and randomized number are 
generated by the local server. 

30. The system of claim 28, wherein the authentication server receives user 
credential information from the client and provides a digitally signed authentication message 
including an authentication parameters using said unique data through HTTPS to the client 
via said re-direct header to the client 

3 1 . The system of claim 30, wherein the AP, in response to receiving the digitally 
signed authentication message re-directed from the client including the authentication 
parameters and at least a portion of the unique data from the client, generates a local digital 
signature using the received portion of the unique data and the stored mapping data together 
with the authentication parameters, and compares the local digital signature with the digitally 
signed authentication message to determine network access by the client. 

32. The system of claim 25, wherein the re-direct header further comprises a 
means for re-directing a browser of the client to a URL on the network, and embedding in the 
URL said digitally signed authentication message, the authentication parameters and a 
portion of the unique data. 

33. The method according to claim 26, wherein said AP and said LS are co-located. 

34. A method for controlling access to a network, which includes a client and an 
access point for relaying network communications to and from the client, and an 
authentication server for performing an authentication process in response to a request from 
the client, the method comprising: 
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at the access point (AP), receiving a request to access the network from a client; 
associating unique data with an identifier of fee client and storing a mapping of the 
association; and providing the unique data to the client for use in authenticating the client via 
an authentication server; 
5 at the authentication server, authenticating the client using the unique data, and 

forwarding a success code to the client using a re-direct header, and including a digitally 
signed authentication message and authentication parameters corresponding to the unique 
data; and 

the access point receiving from the client according to the re-direct header the 
10 digitally signed authentication message and authentication parameters and correlating the 
authentication parameters with the mapped association data for determining access to the 
network. 

35. The method according to claim 34, wherein said network is a wireless Local Area 
15 Network (WLAN). 

36. A method for controlling access to a network, the method comprising: 
receiving, by an access point (AP) associated with the network, a request to access the 

network from a client; 

20 said access point re-directing the request to a local server associated with the network, 

the AP associating a session ID and a randomized number with an identifier associated with 
the client, and storing data mapping the session ID to the identifier associated with the client 
and the randomized number; 

providing, by said LS, an authentication input request, which includes an 

25 authentication server selection request, the session ID and the randomized number, to the 
client; 

receiving, by said AP, a re-directed request from the client in response to a re-direct 
header firom the selected authentication server, including a digitally signed authentication 
message, an authentication parameter list, and said session ID, the digitally signed 
30 authentication message being generated using the randomized number, said session ID and 
said authentication parameter list, by said selected authentication server associated with the 
client; and 
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correlating the received digitally signed authentication message with the re-directed 
request for access using the stored mapping data for controlling access by the client to the 
network. 

5 37. The method according to claim 36, wherein said network is a wireless Local Area 
Network (WLAN). 

38. The method according to claim 36, wherein said authentication input request is a Web 
page. 

10 

39. The method according to claim 36, wherein said digitally signed authentication message 
includes a re-direct header. 

40. Hie method according to claim 36, wherein a re-directed request is a retrieved re-directed 
15 URL. 

41. The method according to claim 36, wherein said AP and said LS are co-located. 



